CASS INFORMATION SYSTEMS INC (CASS) Business

ITEM 1. BUSINESS

Description of Business

Cass Information Systems, Inc. (“Cass” or the “Company”) provides payment and information processing services to large manufacturing, distribution and retail enterprises across the United States. The Company’s services include freight invoice rating, payment processing, auditing, and the generation of accounting and transportation information. Cass also processes and pays facility-related invoices, which include electricity and gas as well as waste and telecommunications expenses. Cass solutions include integrated payments, a B2B payment platform for clients that require an agile fintech partner. Additionally, the Company offers a church management software solution and an on-line platform to provide generosity services for faith-based and non-profit organizations. The Company’s bank subsidiary, Cass Commercial Bank (the “Bank”), supports the Company’s payment operations. The Bank also provides banking services to its target markets, which include privately held businesses in the St. Louis metropolitan area and restaurant franchises and faith-based ministries within the United States.

On April 7, 2025, the Company signed an Asset Purchase Agreement providing for the sale of its telecom expense management and managed mobility solutions business unit ("TEM Business Unit") to Asignet USA Inc ("Asignet") for a purchase price of $18.0 million. The sale closed on June 30, 2025. The Company also signed a Transition Services Agreement with Asignet to provide certain information technology, data ingestion, and payment processing services for a period of time not to exceed 18 months after closing.

Company Strategy and Core Competencies

Cass is an information services company with a primary focus on processing payables and payables-related transactions for large corporations located in the United States. Cass possesses four core competencies that encompass most of its processing services.

Data acquisition – This refers to the gathering of data elements from diverse, heterogeneous sources and the building of complete databases for our customers. Data is the raw material of the information economy. Cass gathers vital data from complex and diverse input documents, electronic media, proprietary databases and data feeds, including data acquired from vendor invoices as well as customer procurement and sales systems. Through its numerous methods of obtaining streams and pieces of raw data, including those supported by artificial intelligence ("AI"), Cass is able to assemble vital data into centralized data management systems and warehouses, thus producing an engine to create the power of information for managing critical corporate functions and processing systems.

Data management – Once data is assembled, Cass is able to utilize the power from derived information to produce significant savings and benefits for its clients. This information is integrated into customers’ unique financial and accounting systems, eliminating the need for internal accounting processing and providing internal and external support for these critical systems. Information is also used to produce management and exception reporting for operational control, feedback, planning assistance and performance measurement.

Business Intelligence – Receiving information in the right place at the right time and in the required format is paramount for business survival. Cass’ information delivery solutions provide reports, digital images, data files and retrieval capabilities through the internet or directly into customer internal systems. Cass’ proprietary internet management delivery system is the foundation for driving these critical functions. Transaction, operational, control, status and processing exception information are all delivered through this system creating an efficient, accessible and highly reliable asset for Cass customers.

Financial exchange – Since Cass is unique among its competition in that it owns a commercial bank, it is also able to manage the movement of funds from its customers to their suppliers. This is a distinguishing factor, which clearly requires the processing capability, operating systems and financial integrity of a banking organization. Cass provides immediate, accurate, controlled and protected funds management and transfer system capabilities for all of its customers. Old and costly check processing and delivery mechanisms are replaced with more efficient electronic cash management and funds transfer systems.

1

Table of Contents

Cass’ core competencies allow it to perform the highest volumes of transaction processing in an integrated, efficient and systematic approach. Not only is Cass able to process the transaction, it is also able to collect the data defining the transaction and effect the financial payment governing its terms.

These core competencies, enhanced through shared business processes, drive Cass’ strategic business units. Building upon these foundations, Cass continues to explore new business opportunities that leverage these competencies and processes.

Marketing, Customers and Competition

The Company, through its Transportation Information Services business unit, is one of the largest firms in the transportation bill processing and payment industry in the United States based on the total dollars of transportation bills paid and items processed. Competition consists of a few primary competitors and numerous small transportation bill audit firms located throughout the United States. While offering transportation payment services, few of these audit firms compete on a national basis. These competitors compete mainly on price, functionality and service levels. The Company, through its Facilities Expense Management business unit, also competes with other companies located throughout the United States that pay utility bills and provide management reporting. Available data indicates that the Company is one of the largest providers of utility information processing and payment services. Cass is unique among these competitors in that it is not exclusively affiliated with any one energy service provider (“ESP”). Various ESPs market the Company’s services, adding value with their unique auditing, consulting and technological capabilities. Many of Cass’ services are customized for the ESPs, providing a full-featured solution without any development costs to the ESP. The Company's TouchPoint division offers a church management software solution and an on-line platform to provide generosity services for faith-based and non-profit organizations, which is a complementary service offering to the Bank’s faith-based customers. Also, the Company, through its CassPay operation, competes with providers of corporate payment solutions.

The Bank is organized as a Missouri trust company with banking powers and was founded in 1906. The Company was originally classified as a bank holding corporation due to its ownership of a federally-insured commercial bank and was originally organized in 1982 as Cass Commercial Corporation under the laws of Missouri. Approval by the Board of Governors of the Federal Reserve System was received in February 1983. The Company changed its name to Cass Information Systems, Inc. in January 2001. In December 2011, the Federal Reserve Bank (“FRB”) of St. Louis approved the election of Cass Information Systems, Inc. to become a financial holding company. As a financial holding company, Cass may engage in activities that are financial in nature or incidental to a financial activity. The Bank encounters competition from numerous banks and financial institutions located throughout the St. Louis, Missouri metropolitan area and other areas in which the Bank competes. The Bank’s principal competitors, however, are large bank holding companies that are able to offer a wide range of banking and related services through extensive branch networks. The Bank targets its services to privately held businesses, restaurant franchises, and faith-based ministries located in St. Louis, Missouri and other selected cities located throughout the United States.

The Company holds several trademarks for the payment and rating services it provides. These include: FreightPay®, Transdata®, Ratemaker®, Best Rate®, Rate Exchange®, CassPort®, Cass Freight Index®, Cass Truckload Linehaul Index®, Cass Intermodal Price Index® Expense$mart®, ExpenseSmart®, TouchPoint®, Gyve®, Generosity Made Simple®, WasteVision™, AcuAudit™ and Direct2Carrier Payments™. The Company holds patents for methods and systems of the following: managing employee-liable expenses, communicating expense management information, electronic auditing, and electronically generating and analyzing shipping parameters. The Company also holds patents for computer readable media for electronic auditing.

The Company and its subsidiaries have a varied client base and are not dependent on any one customer or group of customers for a significant portion of its business.

Employees and Human Capital Resources

The Company and its subsidiaries had 860 full-time and 156 part-time employees as of February 27, 2026, exclusive of discontinued operations. Of these employees, the Bank had 68 full-time and no part-time employees.

Cass has long been committed to comprehensive and competitive compensation and benefits programs to attract and retain talent in a competitive environment. Retention of skilled and highly trained employees is critical as the Company’s future operating results depend substantially upon the continued service of executive officers and key personnel. Furthering the philosophy to attract and retain a pool of talented and motivated employees who will continue to advance the Company’s purpose and contribute to overall success, compensation and benefits programs include: a noncontributory profit sharing

2

Table of Contents

program for exempt employees; a defined contribution 401(k) plan to provide retirement benefits to eligible employees; a performance-based equity compensation program for executive officers and key personnel; and incentive programs for sales personnel. Cass also provides comprehensive health, dental, and vision plans to most employees, as well as free employee assistance programs to all employees and members of their families.

The Company invests in its employees’ futures by assisting with tuition reimbursement for continued education. Employees are also able to participate in educational seminars run by outside parties to maintain and expand professional knowledge.

In order to develop a workforce that aligns with the Company’s corporate values, regularly sponsored campaigns and events occur, such as charitable workplace campaigns, food drives to assist local food banks, and toy drives to support charities during the holidays. The Company offers paid time off for charitable endeavors. Additionally, the Company supports a number of organizations with annual financial contributions.

The Company also continues its commitment to providing a workplace that is free of harassment and discrimination by taking proactive measures and providing all employees with non-discrimination and sexual harassment prevention training on an annual basis. Initiatives are supported and promoted to provide all employees a place where they feel welcomed, appreciated and valued.

Equal opportunities, anti-harassment, non-discrimination, the health and safety of employees and work-life balance are actively promoted as more fully described in the Company's Environmental, Social, and Governance ("ESG") report.

Supervision and Regulation

The Company and its bank subsidiary are extensively regulated under federal and state law. These laws and regulations are intended to primarily protect depositors, not shareholders. The Bank is subject to regulation and supervision by the Missouri Division of Finance, the FRB and the Federal Deposit Insurance Corporation (the “FDIC”). The Company is a financial holding company within the meaning of the Bank Holding Company Act of 1956, as amended (the “BHC Act”), and as such, it is subject to regulation, supervision and examination by the FRB. Significant elements of the laws and regulations applicable to the Company and the Bank are described below. The description is qualified in its entirety by reference to the full text of the statutes, regulations and policies that are described. Also, such statutes, regulations and policies are continually under review by Congress and state legislatures and federal and state regulatory agencies. A change in statutes, regulations or regulatory policies applicable to the Company and its subsidiaries could have a material effect on the business, financial condition and results of operations of the Company.

Bank Holding Company Activities – In general, the BHC Act limits the business of bank holding companies to banking, managing or controlling banks and other related activities. In addition, bank holding companies that qualify and elect to be financial holding companies, such as the Company, may engage in any activity, or acquire and retain the shares of a company engaged in any activity, that is either (i) financial in nature or incidental to such financial activity or (ii) complementary to a financial activity and does not pose a substantial risk to the safety and soundness of depository institutions or the financial system generally. Such permitted activities include securities underwriting and dealing, insurance underwriting and making merchant banking investments.

To maintain financial holding company status, a financial holding company and all of its depository institution subsidiaries must be “well capitalized” and “well managed.” A depository institution subsidiary is considered to be “well capitalized” if it satisfies the requirements for this status discussed in the section “Prompt Corrective Action” below. A depository institution subsidiary is considered “well managed” if it received a composite rating and management rating of at least “satisfactory” in its most recent examination. A financial holding company’s status will also depend upon it maintaining its status as “well capitalized” and “well managed’ under applicable FRB regulations. If a financial holding company ceases to meet these capital and management requirements, the FRB may impose limitations or conditions on the conduct of its activities during the non-compliance period, and the company may not commence any of the broader financial activities permissible for financial holding companies or acquire a company engaged in such financial activities without prior approval of the FRB. If the company does not return to compliance within 180 days, the FRB may require divestiture of the holding company’s depository institutions.

In order for a financial holding company to commence any new activity permitted by the BHC Act or to acquire a company engaged in any new activity permitted by the BHC Act, each insured depository institution subsidiary of the financial

3

Table of Contents

holding company must have received a rating of at least “satisfactory” in its most recent examination under the Community Reinvestment Act. See “Community Reinvestment Act” below.

The FRB has the power to order any bank holding company or its subsidiaries to terminate any activity or to terminate its ownership or control of any subsidiary when the FRB has reasonable grounds to believe that continuation of such activity or such ownership or control constitutes a serious risk to the financial soundness, safety or stability of any bank subsidiary of the bank holding company.

The BHC Act, the Bank Merger Act, and other federal and state statutes regulate acquisitions of banks and banking companies. The BHC Act requires the prior approval of the FRB for the direct or indirect acquisition by the Company of more than 5% of the voting shares or substantially all of the assets of a bank or bank holding company. Under the Bank Merger Act, the prior approval of the FRB or other appropriate bank regulatory authority is required for the Bank to merge with another bank or purchase the assets or assume the deposits of another bank. In reviewing acquisition applications, the bank regulatory authorities will consider, among other things, the competitive effect and public benefits of the transactions, the capital position of the combined organization, the risks to the stability of the U.S. banking or financial system, the applicant’s performance record under the Community Reinvestment Act and its compliance with fair housing laws.

The Dodd-Frank Act – The Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”), enacted in July 2010, significantly restructured the financial regulatory environment in the United States, affecting all bank holding companies and banks, including the Company and the Bank, some of which are described in more detail below. The impact of the Dodd-Frank Act on the Company and the Bank has been substantial.

Enhanced Prudential Standards – The FRB is required to monitor emerging risks to financial stability and enact enhanced supervision and prudential standards applicable to large bank holding companies and certain non-bank covered companies designated as systemically important by the Financial Stability Oversight Council. The Dodd-Frank Act mandates that certain regulatory requirements applicable to these systemically important financial institutions be more stringent than those applicable to other financial institutions. In 2019, the FRB adopted new rules impacting certain capital and liquidity requirements and other enhanced prudential standards. The final rules assign all domestic bank holding companies with $100 billion or more in total consolidated assets to one of four categories of tailored regulatory requirements. The Company and the Bank are generally not impacted by these rules. The enhanced prudential standards rules, as amended in 2019, require publicly traded bank holding companies with $50 billion or more in total consolidated assets to establish risk committees. Prior to the amendment, the requirement to establish a risk committee was applicable to publicly traded companies with $10 billion or more in consolidated assets.

Dividends and Stock Repurchases – Both the Company and the Bank are subject to various regulations that restrict their ability to pay dividends and the amount of dividends that they may pay. Under the Federal Deposit Insurance Corporation Improvement Act of 1991, a depository institution, such as the Bank, may not pay dividends if payment would cause it to become undercapitalized or if it is already undercapitalized. The payment of dividends by the Company and the Bank may also be affected or limited by other factors, such as the requirement to maintain adequate capital and, under certain circumstances, the ability of federal regulators to prohibit dividend payments as an unsound or unsafe practice.

From time to time, the Company's Board of Directors has authorized stock repurchase plans. Bank holding companies must consult with the Federal Reserve before redeeming any equity or other capital instrument included in tier 1 or tier 2 capital prior to stated maturity, if such redemption could have a material effect on the level or composition of the organization’s capital base. In addition, a bank holding company is unable to repurchase shares equal to 10% or more of its net worth if it would not be well-capitalized (as defined by the Federal Reserve) after giving effect to such repurchase. Bank holding companies experiencing financial weaknesses, or that are at significant risk of developing financial weaknesses, must consult with the Federal Reserve before redeeming or repurchasing common stock or other regulatory capital instruments.

In August 2022, the Inflation Reduction Act of 2022 (the “Inflation Reduction Act") was enacted. Among other things, the Inflation Reduction Act imposes a new 1% excise tax on the fair market value of stock repurchased after December 31, 2022 by publicly traded U.S. corporations. With certain exceptions, the value of stock repurchased is determined net of stock issued in the year, including shares issued pursuant to compensatory arrangements.

Capital Requirements – As a bank holding company, the Company and the Bank are subject to capital requirements pursuant to the FRB’s capital guidelines which include (i) risk-based capital guidelines, which are designed to make capital requirements more sensitive to various risk profiles and account for off-balance sheet exposure; (ii) guidelines that consider market risk, which is the risk of loss due to change in value of assets and liabilities due to changes in interest rates; and (iii)

4

Table of Contents

guidelines that use a leverage ratio which places a constraint on the maximum degree of risk to which a financial holding company may leverage its equity capital base.

The Basel III Capital Rules require the Company and the Bank to maintain the following:

•a minimum ratio of common equity Tier 1 capital to risk-weighted assets of at least 4.5%, plus a 2.5% capital conservation buffer (resulting in a minimum common equity Tier 1 capital ratio of 7.0%);

•a minimum ratio of Tier 1 capital to risk-weighted assets of at least 6.0%, plus a 2.5% capital conservation buffer (resulting in a minimum Tier 1 capital ratio of 8.5%);

•a minimum ratio of total capital (that is, Tier 1 plus Tier 2 capital) to risk-weighted assets of at least 8.0%, plus the 2.5% capital conservation buffer (resulting in a minimum total capital ratio of 10.5%); and

•a minimum leverage ratio of 4.0%, calculated as the ratio of Tier 1 capital to adjusted average consolidated assets.

The capital conservation buffer is designed to absorb losses during periods of economic stress. Banking institutions with a ratio of common equity Tier 1 capital to risk-weighted assets above the minimum but below the conservation buffer will face limitations on the payment of dividends, common stock repurchases and discretionary cash payments to executive officers based on the amount of the shortfall.

Common equity Tier 1 capital is generally defined as common stockholders’ equity and retained earnings. Tier 1 capital is generally defined as common equity Tier 1 and Additional Tier 1 capital. Additional Tier 1 capital generally includes certain noncumulative perpetual preferred stock and related surplus and minority interests in equity accounts of consolidated subsidiaries. Total capital includes Tier 1 capital (common equity Tier 1 capital plus Additional Tier 1 capital) and Tier 2 capital. Tier 2 capital is comprised of capital instruments and related surplus meeting specified requirements. Also included in Tier 2 capital is the allowance for credit losses limited to a maximum of 1.25% of risk-weighted assets and, for non-advanced approaches institutions like Cass that have exercised a one-time opt-out election regarding the treatment of Accumulated Other Comprehensive Income (“AOCI”), up to 45% of net unrealized gains on available-for-sale equity investment securities with readily determinable fair market values.

The calculation of all types of regulatory capital is subject to deductions and adjustments specified in the regulations. For instance, the Basel III Capital Rules and the capital simplification rules enacted in 2019 provide for a number of deductions from and adjustments to common equity Tier 1 capital. These include, for example, the requirement that certain deferred tax assets and significant investments in non-consolidated financial entities be deducted from Tier 1 capital to the extent that any one such category exceeds 25% of common equity Tier 1 capital.

In determining the amount of risk-weighted assets for purposes of calculating risk-based capital ratios, all assets, including certain off-balance sheet assets, are multiplied by a risk weight factor assigned by the regulations based on the risks believed inherent in the type of asset. Higher levels of capital are required for asset categories believed to present greater risk. For example, a risk weight of 0% is assigned to cash and U.S. government securities, a risk weight of 50% is generally assigned to prudently underwritten first lien one to four-family residential mortgages, a risk weight of 100% is assigned to commercial and consumer loans, a risk weight of 150% is assigned to certain past due loans, and a risk weight of between 0% to 600% is assigned to permissible equity interests, depending on certain specified factors.

The FRB has authority to establish individual minimum capital requirements in appropriate cases upon a determination that an institution’s capital level is or may become inadequate in light of the particular risks or circumstances. As of December 31, 2025, the Company and the Bank met all capital adequacy requirements under the Basel III Capital Rules.

Source of Strength Doctrine – FRB and other regulations require bank holding companies to act as a source of financial and managerial strength to their subsidiary banks. Under this requirement, the Company is expected to commit resources to support the Bank. Any capital loans by a bank holding company to any of its subsidiary banks are subordinate in right of payment to depositors and to certain other indebtedness of such subsidiary banks. In the event of a bank holding company’s bankruptcy, any commitment by the bank holding company to a federal bank regulatory agency to maintain the capital of a subsidiary bank will be assumed by the bankruptcy trustee and entitled to priority of payment.

Deposit Insurance – Substantially all of the deposits of the Bank are insured up to applicable limits by the Deposit Insurance Fund (“DIF”) of the FDIC, and the Bank is subject to deposit insurance assessments to maintain the DIF. Deposit insurance assessments are based on average consolidated total assets minus average tangible equity. Under the FDIC’s risk-based assessment system, insured institutions with less than $10 billion in assets, such as the Bank, are assigned to one of

5

Table of Contents

four risk categories based on supervisory evaluations, regulatory capital level, and certain other factors, with less risky institutions paying lower assessments. An institution’s assessment rate depends upon the category to which it is assigned and certain other factors.

The FDIC established a plan on September 15, 2020 to restore the DIF reserve ratio to meet or exceed the statutory minimum of 1.35% within eight years. This plan did not include an increase in the deposit insurance assessment rate. Based on the FDIC’s recent projections, however, the FDIC determined that the DIF reserve ratio is at risk of not reaching the statutory minimum by the statutory deadline of September 30, 2028 without increasing the deposit insurance assessment rates. In October 2022, the FDIC adopted a final rule to increase initial base deposit insurance assessment rate schedules uniformly by 2 basis points, beginning on January 1, 2023.

In November 2023, the FDIC issued a final rule to implement a special assessment to recover losses to the DIF incurred as a result of bank failures in early 2023 and the FDIC's use of the systemic risk exception to cover certain deposits that were otherwise uninsured. The special assessment was based on estimated uninsured deposits as of December 31, 2022 (excluding the first $5.0 billion) and is being assessed at a quarterly rate of 3.36 basis points, over eight quarterly assessment periods, beginning in the first quarter of 2024. As a result of this final rule, the Company is not accruing expense related to this assessment based on the amount of uninsured deposits at December 31, 2022 of less than $5.0 billion. Under the final rule, the estimated loss pursuant to the systemic risk determination will be periodically adjusted, and the FDIC has retained the ability to cease collection early, extend the special assessment collection period, and impose a final shortfall special assessment on a one-time basis.

In December 2025, based upon the first six quarterly collections of the special assessment and anticipated collections for the seventh quarterly special assessment, the FDIC issued an interim final rule to amend the collection of the special assessment to reduce the eighth quarterly assessment rate from 3.36 basis points to 2.97 basis points. Because the cumulative amount collected through the initial eight quarter special assessment period is projected to equal the FDIC’s loss estimate, the additional two quarter extension of the assessment period was removed. The interim final rule also requires the FDIC to provide an offset to regular quarterly deposit insurance assessments for institutions subject to the special assessment if the aggregate amount collected exceeds estimated losses following the resolution of pending litigation, and again following the termination of any receiverships. As provided in the special assessment rule, if losses at the termination of any receiverships exceed the amount collected, the FDIC will implement a one-time final shortfall special assessment to ensure the full amount of actual losses is recovered as required by law. The extent to which any such future offsets or a future one-time shortfall special assessment will impact the Company's future deposit insurance expense is currently uncertain.

FDIC insurance expense totaled $628,000, $638,000 and $603,000 for the years ended December 31, 2025, 2024 and 2023, respectively.

The FDIC may terminate deposit insurance upon a finding that the institution has engaged in unsafe and unsound practices, is in an unsafe or unsound condition to continue operations, or has violated any applicable law, regulation, rule, order or condition imposed by the FDIC.

Prompt Corrective Action – The Basel III Capital Rules incorporate new requirements into the prompt correction action framework, described above. The Federal Deposit Insurance Act (“FDIA”) requires that federal banking agencies take “prompt corrective action” against depository institutions that do not meet minimum capital requirements and includes the following five capital tiers: “well-capitalized,” “adequately capitalized,” “undercapitalized,” “significantly undercapitalized” and “critically undercapitalized.” A depository institution’s capital tier will depend upon how its capital levels compare with various relevant capital measures and certain other factors, as established by regulation.

A depository institution is deemed to be (i) “well-capitalized” if the institution has a total risk-based capital ratio of 10% or greater, a Tier 1 risk-based capital ratio of 8% or greater, a leverage ratio of 5% or greater, a common equity Tier 1 ratio of 6.5% or greater and is not subject to any regulatory order agreement or written directive to meet and maintain a specific capital level for any capital measure; (ii) “adequately capitalized” if the institution has a total risk-based capital ratio of 8% or greater, a Tier 1 risk-based capital ratio of 6% or greater, a leverage ratio of 4% or greater, a common equity Tier 1 ratio of 4.5% or greater and does not meet the definition of “well capitalized”; (iii) “undercapitalized” if the institution has a total risk-based capital ratio that is less than 8%, a Tier 1 risk-based capital ratio of less than 6%, a leverage ratio of less than 4% or a common equity Tier 1 ratio of less than 4.5%; (iv) “significantly undercapitalized” if the institution has a total risk-based capital ratio of less than 6%, a Tier 1 risk-based capital ratio of less than 4%, a leverage ratio of less than 3% or a common equity Tier 1 ratio of less than 3%; and (v) “critically undercapitalized” if the institution has a ratio of tangible

6

Table of Contents

equity (as defined in the regulations) to total assets that is equal to or less than 2%. An institution may be deemed to be in a capital category that is lower than indicated by its capital ratios if it is determined to be in an unsafe or unsound condition or if it receives an unsatisfactory examination rating with respect to certain matters. A bank’s capital category is determined solely for the purpose of applying prompt corrective action regulations, and the capital category may not constitute an accurate representation of the bank’s overall financial condition or prospects for other purposes.

Subject to a narrow exception, a receiver or conservator is required to be appointed for an institution that is “critically undercapitalized” within specified time frames. The regulations also provide that a capital restoration plan must be filed with the FRB within 45 days of the date an institution is deemed to have received notice that it is “undercapitalized,” “significantly undercapitalized” or “critically undercapitalized.” Compliance with the plan must be guaranteed by any parent holding company up to the lesser of 5% of the institution’s total assets when it was deemed to be undercapitalized or the amount necessary to achieve compliance with applicable capital requirements. In addition, numerous mandatory supervisory actions become immediately applicable to an undercapitalized institution including, but not limited to, increased monitoring by regulators and restrictions on growth, capital distributions and expansion. The FRB could also take any one of a number of discretionary supervisory actions, including the issuance of a capital directive and the replacement of senior executive officers and directors. Significantly and critically undercapitalized institutions are subject to additional mandatory and discretionary measures.

As of December 31, 2025, the most recent notification from the regulatory agencies categorized the Company and the Bank as well-capitalized. For further information regarding the capital ratios and leverage ratio of the Company and the Bank, see Item 8, Note 3 of this report.

Safety and Soundness Regulations – In accordance with the FDIA, the federal banking agencies adopted guidelines establishing general standards relating to internal controls, information systems, internal audit systems, loan documentation, credit underwriting, interest rate risk exposure, asset growth, asset quality, earnings, compensation, fees and benefits. In general, the guidelines require that institutions maintain appropriate systems and practices to identify and manage the risks and exposures specified in the guidelines. The guidelines prohibit excessive compensation as an unsafe and unsound practice and describe compensation as excessive when the amounts paid are unreasonable or disproportionate to the services performed by an executive officer, employee, director or principal shareholder. In addition, regulations adopted by the federal banking agencies authorize the agencies to require that an institution that has been given notice that it is not satisfying any of such safety and soundness standards to submit a compliance plan. If the institution fails to submit an acceptable compliance plan or fails in any material respect to implement an accepted compliance plan, the agency must issue an order directing corrective actions and may issue an order directing other actions of the types to which an undercapitalized institution is subject under the “prompt corrective action” provisions of FDIA. If the institution fails to comply with such an order, the agency may seek to enforce such order in judicial proceedings and to impose civil money penalties.

Loans-to-One-Borrower – The Bank generally may not make loans or extend credit to a single or related group of borrowers in excess of 15% of unimpaired capital and surplus. An additional amount may be loaned, up to 10% of unimpaired capital and surplus, if the loan is secured by readily marketable collateral, which generally does not include real estate. As of December 31, 2025, the Bank was in compliance with the loans-to-one-borrower limitations.

Depositor Preference – The FDIA provides that, in the event of the “liquidation or other resolution” of an insured depository institution, the claims of depositors of the institution, including the claims of the FDIC as subrogee of insured depositors, and certain claims for administrative expenses of the FDIC as a receiver, will have priority over other general unsecured claims against the institution. If an insured depository institution fails, insured and uninsured depositors, along with the FDIC, will have priority in payment ahead of unsecured, non-deposit creditors, including depositors whose deposits are payable only outside of the United States and the parent bank holding company, with respect to any extensions of credit they have made to such insured depository institution.

Community Reinvestment Act – The Community Reinvestment Act of 1977 (“CRA”) requires depository institutions to assist in meeting the credit needs of their market areas consistent with safe and sound banking practice. Under the CRA, each depository institution is required to help meet the credit needs of its market areas by, among other things, providing credit to low- and moderate-income individuals and communities. Depository institutions are periodically examined for compliance with the CRA and are assigned ratings that must be publicly disclosed. In order for a financial holding company to commence any new activity permitted by the BHC Act, or to acquire any company engaged in any new activity permitted by the BHC Act, each insured depository institution subsidiary of the financial holding company must

7

Table of Contents

have received a rating of at least “satisfactory” in its most recent examination under the CRA. The Bank received a rating of “satisfactory” in its most recent CRA exam.

In October 2023, the Office of the Comptroller of the Currency ("OCC"), together with the Federal Reserve and FDIC, issued a joint final rule to modernize the CRA regulatory framework. The final rule is intended, among other things, to adapt to changes in the banking industry, including the expanded role of mobile and online banking, and to tailor performance standards to account for differences in bank size and business models. The final rule introduces new tests under which the performance of banks with over $2 billion in assets will be assessed. The new rule also includes data collection and reporting requirements, some of which are applicable only to banks larger than the Bank and updates the definitions of community development and process by which banks can seek approval of qualifying projects. Most provisions of the final rule became effective on January 1, 2026, and the data reporting requirements will become effective on January 1, 2027.

Financial Privacy – Banks and other financial institutions are subject to regulations that limit their ability to disclose non-public information about consumers to nonaffiliated third parties. These limitations require disclosure of privacy policies to consumers and affect how consumer information is transmitted through diversified financial companies and conveyed to outside vendors.

The Bank is also subject to regulatory guidelines establishing standards for safeguarding customer information and maintaining information security programs. The standards set forth in the guidelines are intended to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of such records and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.

Transactions with Affiliates – Transactions between the Bank and its affiliates are subject to regulations that limit the types and amounts of covered transactions engaged in by the Bank and generally require those transactions to be on an arm’s-length basis. The term “affiliate” is defined to mean any company that controls or is under common control with the Bank and includes the Company and its non-bank subsidiaries. “Covered transactions” include a loan or extension of credit, as well as a purchase of securities issued by an affiliate, certain purchases of assets from the affiliate, certain derivative transactions that create a credit exposure to an affiliate, the acceptance of securities issued by the affiliate as collateral for a loan, and the issuance of a guarantee, acceptance or letter of credit on behalf of an affiliate. In general, these regulations require that any such transaction by the Bank (or its subsidiaries) with an affiliate must be secured by designated amounts of specified collateral and must be limited to certain thresholds on an individual and aggregate basis.

Federal law also limits the Bank’s authority to extend credit to its directors, executive officers and 10% shareholders, as well as to entities controlled by such persons. Among other things, extensions of credit to insiders are required to be made on terms that are substantially the same as, and follow credit underwriting procedures that are not less stringent than those prevailing for comparable transactions with unaffiliated persons. Also, the terms of such extensions of credit may not involve more than the normal risk of repayment or present other unfavorable features and may not exceed certain limitations on the amount of credit extended to such persons, individually and in the aggregate, which limits are based, in part, on the amount of the Bank’s capital.

Cybersecurity – Federal regulators regularly issue new and updated guidance and standards regarding cybersecurity intended to enhance cyber risk management among financial institutions and public companies generally. Financial institutions are expected to comply with such guidance and standards and develop appropriate risk management processes and security controls. If the Company fails to observe the regulatory guidance, it could be subject to various regulatory sanctions, including financial penalties.

In November 2021, the federal banking agencies adopted a final rule requiring banking organizations to notify their primary banking regulator within 36 hours of determining that a “computer-security incident” has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the banking organization’s ability to carry out banking operations or deliver banking products and services to a material portion of its customer base, its businesses and operations that would result in material loss, or its operations that would impact the stability of the United States. Banking organizations are also required to notify each affected customer as soon as possible in the event of an incident that results in actual or potential harm to the integrity or availability of information and systems or that violates or threatens to violate the organization’s security for four or more hours.

8

Table of Contents

Risks and exposures related to cybersecurity attacks, including litigation and enforcement risks, are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of internet banking, mobile banking and other technology-based products and services by the Company and its customers. See Item 1A, “Risk Factors” for a further discussion of risks related to cybersecurity.

Anti-Money Laundering - The Bank Secrecy Act, as amended by the Patriot Act and Anti-Money Laundering Act of 2020, contains anti-money laundering and financial transparency provisions intended to detect and prevent the use of the U.S. financial system for money laundering and terrorist financing activities. The Bank Secrecy Act requires financial institutions such as depository institutions to undertake activities, including maintaining an AML program, verifying the identity of customers, verifying the identity of certain beneficial owners for legal entity customers, monitoring for and reporting suspicious transactions, reporting on cash transactions exceeding specified thresholds, and responding to requests for information by regulatory authorities and law enforcement agencies. The Company is subject to the Bank Secrecy Act and, therefore, is required to implement compliance policies, procedures, and internal controls, provide its employees with AML training, designate an AML compliance officer, and undergo periodic independent auditing and testing to assess the effectiveness of its AML program, among other requirements. The Company has implemented an AML compliance program, including policies, procedures, and internal controls that are designed to comply with these AML requirements. Bank regulators continue to focus their examinations on AML compliance, and the Company will continue to monitor and augment, where necessary, its AML compliance programs. The federal banking agencies are required, when reviewing bank and BHC acquisition or merger applications, to take into account the effectiveness of the AML activities of the applicant.

The Anti-Money Laundering Act of 2020, enacted as part of the National Defense Authorization Act, requires the U.S. Treasury to issue National Anti-Money Laundering and Countering the Financing of Terrorism Priorities, and conduct studies and issue regulations that may, over the next few years, significantly alter some of the due diligence, recordkeeping, and reporting requirements that the Bank Secrecy Act imposes on banks. The Anti-Money Laundering Act of 2020 also contains provisions that promote increased information-sharing and use of technology and increases penalties for violations of the Bank Secrecy Act and includes whistleblower incentives, both of which could increase the prospect of regulatory enforcement.

Other Regulations – The operations of the Company and the Bank are also subject to:

•Truth-In-Lending Act, governing disclosures of credit terms to consumer borrowers;

•Fair Credit Reporting Act, governing the provision of consumer information to credit reporting agencies and the use of consumer information;

•Fair Debt Collection Act, governing the manner in which consumer debts may be collected by collection agencies;

•Electronic Funds Transfer Act, governing automatic deposits to and withdrawals from deposit accounts and customers’ rights and liabilities arising from the use of automated teller machines and other electronic banking services.

•Fair Housing Act, Home Mortgage Disclosure Act, and Real Estate Settlement Procedures Act, prohibiting discrimination against borrowers seeking housing and mortgages; requiring transparency and public reporting on mortgage and lending activities; and requiring that borrowers for mortgage loans for one- to four-family residential real estate receive various disclosures, including good faith estimates of settlement costs, lender servicing and escrow account practices, and prohibiting certain practices that increase the cost of settlement services;

•Equal Credit Opportunity Act, prohibiting discrimination on the basis of race, creed or other prohibited factors in extending credit;

•Check Clearing for the 21st Century Act (also known as “Check 21”), which gives “substitute checks,” such as digital check images and copies made from that image, the same legal standing as the original paper check.

Certain of these laws are consumer protection laws that extensively govern the Company’s relationship with its customers. Violations of applicable consumer protection laws can result in significant potential liability from litigation brought by customers, including actual damages, restitution and attorneys’ fees. Federal bank regulators, state attorneys general and state and local consumer protection agencies may also seek to enforce consumer protection requirements and obtain these and other remedies, including regulatory sanctions, customer rescission rights, action by the state and local attorneys general in each jurisdiction in which the Company operates and civil money penalties. Failure to comply with consumer protection requirements may also result in the Company’s inability to pursue merger or acquisition transactions.

9

Table of Contents

Website Availability of SEC Reports

Cass files annual, quarterly and current reports with the Securities and Exchange Commission (the “SEC”). Cass will, as soon as reasonably practicable after they are electronically filed with or furnished to the SEC, make available free of charge on its website each of its Annual Reports on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K, all amendments to those reports, and its definitive proxy statements. The address of Cass’ website is: www.cassinfo.com.

The reference to the Company’s website address does not constitute incorporation by reference of the information contained on the website and should not be considered part of this report.

Statistical Disclosure by Bank Holding Companies

For the statistical disclosure by bank holding companies, refer to Item 7, “Management’s Discussion and Analysis of Financial Condition and Results of Operations.”